There have been occasions in the past where people went to MITRE, then CERT, then Red Hat. Granted, it's rare, but with the backlog and public perception (e.g. the coverage document that seems to have made some vendors think they can't get CVEs at all) there is potential for messes, which I'd like to avoid (an ounce of prevention and all that). I suspect once we all get faster at CVEs and train people to make better requests, a lot of our problems will stop.

Ideally, the vendor would themselves be a CNA, covering their products regardless of the type of licensing model.

Not every company can be or wants to be a CNA, of course, so how do we handle those?

If there is another sector-based CNA (e.g., Healthcare systems) or a regional CNA (e.g., JPCERT), the company could work directly with those CNAs, who will facilitate the CVE assignment and disclosure regardless.

If neither of these situations fits, it will depend on how DWF manages their assignees. MITRE as a CNA has the advantage of being a trusted third party for vulnerability disclosure. When closed-source software is involved, that trust can be important. If DWF creates that same level of trust with closed-source vendors, they could also fulfill that role. But this leads to some tricky scoping issues, and it could create situations similar to "CNA shopping" or introduce other coordination issues.

So increasingly we have "dual source" vendors, that is, vendors with everything from fully OSI Open Source to completely closed source. Basically any large commercial vendor already (Microsoft, Oracle, etc.) and a growing number of others (witness the proliferation of GitHub projects).

I would like to propose that for vendors where Open Source is a major part of what they ship, or the core of their commercial product, the DWF be able to take them under its wing, as it were.

One hypothetical example that fits into this model would be a company like Ansible (let's ignore the fact that Red Hat acquired it and as such Ansible falls under the Red Hat CNA). Ansible currently has "ansible", which is the Open Source core, and Ansible Tower, which is currently a closed-source management/dashboard. I think in a case like this it makes sense to have a company like Ansible be a CNA under the DWF for both the Open Source parts and the closed-source parts.